The largest supply-chain attack ever… | Fireship | YouTubeToText
Yesterday, every JavaScript developer in the world choked on their artisanal oat milk latte after npm, the package manager holding the entire web together, got wrecked in the largest supply chain attack in its history. Packages with over two billion weekly downloads stopped saying hello world and instead said hello to some guy's crypto wallet. Most notably, it affected Chalk, a utility that makes your terminal look like the Castro District, which has hundreds of millions of downloads and created a domino effect across the entire JavaScript ecosystem. And sadly, it's not the first, second, or even third time this has happened. Crypto bros are constantly exploiting JavaScript bros. And once again, the npm package that you blindly trusted when you ran npm install contains bad code designed to steal your cryptocurrencies. Luckily though, the malicious code was quickly discovered and neutralized. But in today's video, we'll find out how a massive exploit like this is even possible. It is September 9th, 2025, and you're watching The Code Report.

So, here's what went down yesterday. A developer named Josh Junon, who goes by Qix online, wakes up to what looks like an official email from npm support. And it stated in no uncertain terms, "Your account will be locked on September 10th unless you update your 2FA." Now, like I said before, Josh is the maintainer of some pretty important packages like chalk, debug, ansi-styles, and a bunch of other utilities that other developers depend on.

I'm kind of a big deal.

Almost every Node-based CLI tool depends on one of these packages. The email looks legit, and it's coming from support@npmjs.help, which looks official, right? Wrong. It's actually a classic phishing attack. Even though Josh is very smart and a much better developer than you or I, he clicked the link, entered his credentials, and gave attackers full control of his npm account and the ability to publish new code to these popular packages. And combined, these packages get over 2.5 billion weekly downloads, which is a crazy number. Realizing they just struck gold, they almost immediately start publishing new versions of these packages.

But here's where things get interesting. It wasn't just some generic malware, but rather a crypto-specific attack targeting Web3 users. The bad code would inject itself into a web browser and monitor cryptocurrency transactions through things like MetaMask. Then, when a user tries to send Bitcoin or Ethereum to one of their friends, it silently swaps out the destination address with one of the attackers' crypto wallet addresses. This type of malware is commonly known as a crypto clipper. But one thing that's interesting is that it doesn't just select a random address. Instead, it uses the Levenshtein distance algorithm to calculate the visual similarity between two strings. That means when the swap occurs, it's much harder for the end user to detect that anything has changed. For example, the Levenshtein distance between dude and bro is four, but the distance between bra and bro is only two. And the attackers use this algorithm to find a wallet address that would be the least obvious to the human eye when the swap occurs.

Now, these packages were compromised for about 2 hours before the community caught on. But in those two hours, they were installed millions of times across CI/CD pipelines, development environments, and production systems around the world. And the big question is, how much money did the attackers actually steal? You would think it needs to at least be hundreds of millions of dollars. But in reality, they only got away with about $50 worth of Ethereum. That was a close call, but it's a wake-up call for JavaScript developers that maybe we need some additional safeguards on these popular packages. Or maybe we should rename npm install to npm pray, because every time you use it, you need to pray the code you're installing on your machine wasn't compromised by crypto bros a few hours ago. Or maybe you shouldn't even use JavaScript for backend and only use it for UI design, like God intended.

And the best place to get some fresh UI inspiration is mobbin.com, the sponsor of today's video. I've been using Mobbin for 5 years now because it provides highly detailed breakdowns of every screen in thousands of popular applications. As a developer, you can steal, I mean, get inspired by these patterns and implement them in your own applications. You can analyze entire user journeys, UI elements, and screens from over 1,000 highly successful web and mobile apps. And you can even bring them directly into Figma to kickstart your design process. Try Mobbin for free right now with the link below, and you'll get a 20% discount. This has been The Code Report. Thanks for watching, and I will